Facebook Application Authentication

I’ve just spent some frustrating hours working with Facebook. Cutting a long story short, the objective was to integrate the News module of CMSMS with a Facebook page so that summaries of news stories would be posted onto the Facebook page. It’s been frustrating due to the number of bits that I had to pull together to make it work. This post is intended to help anyone else going through the process of integrating an application with the Facebook Graph API from a PHP server.

The Graph API itself is pretty simple to use and the Facebook Graph Explorer provides a great way of experimenting with the API. The bit that cost me time was obtaining an Access Token. In the Graph Explorer, this is achieved by just pressing a button. Within a real application, it’s not quite as simple! The process of getting an access token is fully documented at https://developers.facebook.com/docs/howtos/login/server-side-login/ but there were a number of things I had to hunt for in addition. This post builds upon that page, indeed follows its structure, but adds the bits I felt were not obvious.

I’ve stayed with the structure of the Facebook documentation and you should refer to that along with this post. The steps outlined by Facebook are:

Step 1. Create a Facebook App

Step 2. Create basic PHP page

Step 3. Redirect the user to the Login Dialog to get an authorization code

Step 4. Add Permissions to Login Dialog request

Step 5. Handle the response from the Login Dialog

Step 6. Exchange the authorization code for an Access Token

Step 1. Create a Facebook App

I needed to define my application as “Website with Facebook Login” and then set both the Site url and App Domains fields to match the domain where my PHP code was running.

Step 2. Create basic PHP page

This “basic” PHP page needs to do two things:

a) Request authentication for the user

b) Once authenticated, perform the application logic

Step 3. Redirect the user to the Login Dialog to get an authorization code

Perhaps the single most crucial step

The PHP page gets invoked in two different ways. The first is directly from our application (the user clicks a link), the second is as a call-back from the Facebook authentication dialog. We determine which of these it is by examining a $_REQUEST parameter called code.

[This relies on JavaScript being enabled. You could instead send a Location header, header("Location: $location"); , provided no output has yet been written to the response.]

Notice that one of the request parameters is &state. This is a random value which we add to the request to prevent Cross-Site Request Forgery (CSRF). It needs to be stored in the $_SESSION so we can check it when we receive the authentication code back from Facebook in step 6.

$_SESSION['state'] = md5(uniqid(rand(), TRUE)); // CSRF protection

Step 4. Add Permissions to Login Dialog request

Step 4 is actually included in the previous step. It’s just the value of the scope parameter, which is a comma-separated list of required permissions. To get the name of a permission, look at the names of the permissions in the dialog displayed from the Graph Explorer when you click Get Access Token.

In our case, to update status on a page we needed:

$scope="publish_actions,manage_pages,publish_stream";

Step 5. Handle the response from the Login Dialog

When the user was redirected to the Facebook login dialog, a redirect URL ( redirect_uri ) was specified. Once authentication is complete, the page specified by that URL will be loaded. In our case, that is the same page we’ve been working with already.
If authentication was granted, $_REQUEST["code"] will now contain a temporary authorization code.

Step 6. Exchange the authorization code for an Access Token

The code value is only temporary: it is not itself an access token and must be exchanged for one. Before doing so, we first make sure that the $_REQUEST['state'] value matches the one in our session, to detect CSRF attempts. Then we use the Graph API to request the access token.
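To tie steps 3 to 6 together, here is a single PHP page that handles both entry points described above. This is an added example written for this post, not the code from the Facebook documentation; YOUR_APP_ID, YOUR_APP_SECRET and the redirect URL are placeholders, and it assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example: the two-entry PHP page from steps 3-6. App id, secret and
// redirect URL below are placeholders; the redirect URL must match the Site URL
// configured for the app in step 1.
session_start();

$app_id     = 'YOUR_APP_ID';        // placeholder
$app_secret = 'YOUR_APP_SECRET';    // placeholder, never sent to the browser
$my_url     = 'https://example.com/fb-callback.php'; // placeholder
$scope      = 'publish_actions,manage_pages,publish_stream';

if (!isset($_REQUEST['code'])) {
    // Entry 1: first visit from our own link. Store a fresh anti-CSRF token and
    // send the user to the Login Dialog. random_bytes() is used rather than
    // md5(uniqid(rand())), which is not a cryptographically strong source.
    $_SESSION['state'] = bin2hex(random_bytes(16));
    $dialog_url = 'https://www.facebook.com/dialog/oauth?' . http_build_query([
        'client_id'    => $app_id,
        'redirect_uri' => $my_url,
        'state'        => $_SESSION['state'],
        'scope'        => $scope,
    ]);
    header('Location: ' . $dialog_url); // plain HTTP redirect, no JavaScript needed
    exit;
}

// Entry 2: call-back from Facebook. Refuse to continue unless the state value
// we stored in the session came back unchanged (constant-time comparison).
if (empty($_SESSION['state']) || empty($_REQUEST['state'])
    || !hash_equals($_SESSION['state'], $_REQUEST['state'])) {
    http_response_code(400);
    exit('State mismatch: possible CSRF, aborting.');
}
unset($_SESSION['state']); // single use

// Exchange the temporary code for an access token with a server-to-server call.
$token_url = 'https://graph.facebook.com/oauth/access_token?' . http_build_query([
    'client_id'     => $app_id,
    'redirect_uri'  => $my_url,
    'client_secret' => $app_secret,
    'code'          => $_REQUEST['code'],
]);
$response = file_get_contents($token_url);
$params   = json_decode($response, true);      // newer Graph API versions: JSON
if (!is_array($params)) {
    parse_str($response, $params);              // older versions: access_token=...&expires=...
}
if (empty($params['access_token'])) {
    http_response_code(502);
    exit('Token exchange failed.');
}
$_SESSION['access_token'] = $params['access_token'];
// Step 2b: application logic (e.g. posting the news summary) goes here.
```

The access token is kept in the server-side session only; it is never written into HTML or a cookie the browser can read.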